Trojan-Downloader.NSIS.Adload.bx_c003ae5db8
Trojan-Downloader.NSIS.Adload.bx (Kaspersky), Trojan.Vittalia.7648 (DrWeb), Adware-Adload.c (McAfee), ML.Attribute.HighConfidence (Symantec), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Adware
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: c003ae5db8eb8df858c3b15d1f3e7b76
SHA1: 36f9136e975c09c436899fb6af57fc9ecc09502b
SHA256: de96ec54dfc69946438edff1fcd4e29ddc93b70b40e645817c6c93b0deee12b0
SSDeep: 6144:Ie34/98lb8nxLvPe/ElIfMid8ksFpetM6FDeDC2tc0qgmGrqY:c5nxTPu4FRdtcDQ
Size: 380713 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Mail.Ru
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Payload
No specific payload has been found.
Process activity
The Trojan-Downloader creates the following process(es):
GoogleUpdate.exe:3808
GoogleUpdate.exe:572
GoogleUpdate.exe:416
GoogleUpdate.exe:352
GoogleUpdate.exe:2100
GoogleUpdate.exe:2264
GoogleUpdateSetup.exe:2092
sid2wav.exe:3628
The Trojan-Downloader injects its code into the following process(es):
UI0Detect.exe:1648
UI0Detect.exe:552
setup.exe:3604
%original file name%.exe:3528
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process GoogleUpdate.exe:3808 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
%Program Files%\Google\Update\Install\{6F2F77A1-8FDA-4D29-A10A-DEF2EE7BBD51}\GoogleUpdateSetup.exe (7596 bytes)
%Program Files%\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe (7547 bytes)
The Trojan-Downloader deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{928C03D1-69D1-4FA3-B9A9-83CD0919E73C}-GoogleUpdateSetup.exe (0 bytes)
%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\54.0.2840.59\54.0.2840.59_chrome_installer.exe (0 bytes)
The process GoogleUpdate.exe:352 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-CN.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_id.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_nl.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine.dll (3778 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_en.dll (45 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_is.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_cs.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_mr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_th.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ml.dll (95 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_am.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sk.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdate.dll (34489 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_kn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateHelper.msi (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es-419.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ms.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bg.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ko.dll (78 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_no.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler.exe (4210 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_gu.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_et.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_it.dll (89 bytes)
%Program Files%\GUM83EE.tmp\goopdate.dll (49 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lt.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ru.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ar.dll (86 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_iw.dll (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fa.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateSetup.exe (22576 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ta.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-PT.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ur.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lv.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_vi.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en-GB.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ro.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_de.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ca.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_el.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hu.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-BR.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sw.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler64.exe (6250 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-TW.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_te.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_uk.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_tr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateCore.exe (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdate.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_da.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sv.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fil.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ja.dll (79 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe (1738 bytes)
%Program Files%\Google\Update\1.3.31.5 (28 bytes)
The Trojan-Downloader deletes the following file(s):
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdate.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psuser.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sw.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psuser_64.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_es.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fil.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ms.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleCrashHandler.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_am.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_bg.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_bn.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_it.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\npGoogleUpdate3.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_mr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ur.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psmachine.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_lt.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ja.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_tr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sv.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ko.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ml.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_cs.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ru.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_is.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_kn.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fa.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ta.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ro.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_no.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_uk.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_el.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psmachine_64.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_vi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_da.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_th.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdate.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hu.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ca.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sk.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_en-GB.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_te.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_iw.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_et.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_en.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_id.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ar.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_de.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_nl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_lv.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_es-419.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_gu.dll (0 bytes)
The process GoogleUpdateSetup.exe:2092 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
%Program Files%\GUM83EE.tmp\goopdateres_vi.dll (42 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_da.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_tr.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_iw.dll (40 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_es.dll (45 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_en.dll (42 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdate.exe (308 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_pl.dll (43 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateCore.exe (838 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ms.dll (42 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_hu.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_fr.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_zh-CN.dll (36 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_id.dll (42 bytes)
%Program Files%\GUM83EE.tmp\psmachine.dll (206 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_mr.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_uk.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ur.dll (43 bytes)
%Program Files%\GUM83EE.tmp (32 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ko.dll (38 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ro.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_cs.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_gu.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ca.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ar.dll (41 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_en-GB.dll (42 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_it.dll (44 bytes)
%Program Files%\GUM83EE.tmp\psuser.dll (206 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_pt-PT.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_el.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_fa.dll (42 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_fil.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_pt-BR.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdate.dll (2632 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_te.dll (44 bytes)
%Program Files%\GUM83EE.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_es-419.dll (43 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_sl.dll (43 bytes)
%Program Files%\GUM83EE.tmp\psmachine_64.dll (248 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_nl.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_no.dll (43 bytes)
%Program Files%\GUT83EF.tmp (7 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_sw.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_bg.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_am.dll (42 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateOnDemand.exe (96 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_lv.dll (44 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateBroker.exe (96 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateWebPlugin.exe (96 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_kn.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_bn.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ml.dll (46 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_hr.dll (43 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateHelper.msi (40 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_et.dll (42 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ru.dll (42 bytes)
%Program Files%\GUM83EE.tmp\psuser_64.dll (248 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_zh-TW.dll (36 bytes)
%Program Files%\GUM83EE.tmp\GoogleCrashHandler.exe (550 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ja.dll (39 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateComRegisterShell64.exe (173 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_de.dll (45 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_is.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ta.dll (45 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_th.dll (42 bytes)
%Program Files%\GUM83EE.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_hi.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_fi.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_sv.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_sk.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_lt.dll (42 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_sr.dll (43 bytes)
The Trojan-Downloader deletes the following file(s):
%Program Files%\GUM83EE.tmp\goopdateres_vi.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_da.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_tr.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_iw.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_es.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_en.dll (0 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdate.exe (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_pl.dll (0 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateCore.exe (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ms.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_hu.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_fr.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_id.dll (0 bytes)
%Program Files%\GUM83EE.tmp\psmachine.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_mr.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_uk.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ur.dll (0 bytes)
%Program Files%\GUM83EE.tmp (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ko.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ro.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_cs.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_gu.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ca.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ar.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_en-GB.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_it.dll (0 bytes)
%Program Files%\GUM83EE.tmp\psuser.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_el.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_fa.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_fil.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdate.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_te.dll (0 bytes)
%Program Files%\GUM83EE.tmp\npGoogleUpdate3.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_es-419.dll (0 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_sl.dll (0 bytes)
%Program Files%\GUM83EE.tmp\psmachine_64.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_nl.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_no.dll (0 bytes)
%Program Files%\GUT83EF.tmp (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_sw.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_bg.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_am.dll (0 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_lv.dll (0 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_kn.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_bn.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ml.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_hr.dll (0 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_et.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ru.dll (0 bytes)
%Program Files%\GUM83EE.tmp\psuser_64.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\GUM83EE.tmp\GoogleCrashHandler.exe (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ja.dll (0 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_de.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_is.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ta.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_th.dll (0 bytes)
%Program Files%\GUM83EE.tmp\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_hi.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_fi.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_sv.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_sk.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_lt.dll (0 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_sr.dll (0 bytes)
The process sid2wav.exe:3628 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\music.wav (4995468 bytes)
The process setup.exe:3604 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\music.sid (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SID2WAV.EXE (2957 bytes)
C:\Windows\System32\drivers\etc\hosts (894 bytes)
The process %original file name%.exe:3528 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslE012.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\launcher[1].htm (171 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslE012.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslE012.tmp\B (5128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslE012.tmp\onOfAFD3vz (171 bytes)
The Trojan-Downloader deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslE012.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslE011.tmp (0 bytes)
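Most of the file activity above is the Google Update installer that the NSIS wrapper carries along; the entries that actually merit a look are the write to C:\Windows\System32\drivers\etc\hosts by setup.exe and the NSIS plugin directory (nslE012.tmp with System.dll and inetc.dll, the NSIS INetC download plugin) dropped by the original file. As an added triage example (editor's code, not part of the Lavasoft report), the script below parses a subset of the File activity lines copied from this page, resolves the report's placeholders, and sorts the entries into tiers so that the installer noise drops out. The severity rules, the tier names and the `<user>` placeholder are the editor's own conventions, not anything the sandbox emits.

```python
"""Triage a sandbox "File activity" listing (added example, not Lavasoft output)."""
import re
from collections import Counter

# Constructed sample input: a subset of the File activity lines on this page.
REPORT = r"""
The process GoogleUpdate.exe:352 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
%Program Files%\Google\Update\1.3.33.17\goopdate.dll (34489 bytes)
The Trojan-Downloader deletes the following file(s):
%Program Files%\Google\Update\1.3.31.5\GoogleUpdate.exe (0 bytes)
The process GoogleUpdateSetup.exe:2092 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
%Program Files%\GUM83EE.tmp\goopdate.dll (2632 bytes)
The process sid2wav.exe:3628 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\music.wav (4995468 bytes)
The process setup.exe:3604 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\music.sid (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SID2WAV.EXE (2957 bytes)
C:\Windows\System32\drivers\etc\hosts (894 bytes)
The process %original file name%.exe:3528 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslE012.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\launcher[1].htm (171 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslE012.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslE012.tmp\B (5128 bytes)
"""

PROCESS_RE = re.compile(r"^The process (?P<image>.+?):(?P<pid>\d+) makes changes in the file system\.$")
ACTION_RE = re.compile(r"^The Trojan-Downloader (?P<kind>creates and/or writes to|deletes) the following file\(s\):$")
ENTRY_RE = re.compile(r"^(?P<path>.+) \((?P<size>\d+) bytes\)$")

# Editor's heuristics, first match wins. GUM*/GUT*.tmp are Google Update's own staging dirs.
RULES = [
    ("high", "hosts file modified: diff it against a known-good copy",
     re.compile(r"\\drivers\\etc\\hosts$", re.I)),
    ("high", "NSIS INetC plugin staged: the installer can download over HTTP",
     re.compile(r"\\Temp\\ns[a-z0-9]+\.tmp\\inetc\.dll$", re.I)),
    ("medium", "NSIS plugin/extraction dir under %Temp%",
     re.compile(r"\\Temp\\ns[a-z0-9]+\.tmp\\", re.I)),
    ("medium", "WinINet cache entry: content was fetched from the network",
     re.compile(r"\\Temporary Internet Files\\Content\.IE5\\", re.I)),
    ("low", "Google Update installer activity (bundled-installer noise)",
     re.compile(r"^C:\\Program Files\\(Google\\Update\\|GU[MT][0-9A-F]+\.tmp\\)", re.I)),
]

def normalize(path):
    """Resolve the report's placeholders and drop the quotes it puts around them."""
    path = path.replace('"', "")
    path = path.replace("%Program Files%", r"C:\Program Files")
    return path.replace("%CurrentUserName%", "<user>")  # <user>: editor's placeholder

def parse_report(text):
    """Return one dict per file entry: process, pid, action, normalized path, size."""
    entries, process, pid, action = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m_proc, m_act, m_ent = PROCESS_RE.match(line), ACTION_RE.match(line), ENTRY_RE.match(line)
        if m_proc:
            process, pid = m_proc["image"], int(m_proc["pid"])
        elif m_act:
            action = "write" if m_act["kind"].startswith("creates") else "delete"
        elif m_ent and process and action:
            entries.append({"process": process, "pid": pid, "action": action,
                            "path": normalize(m_ent["path"]), "size": int(m_ent["size"])})
    return entries

def classify(entry):
    """Return (severity, label) for one entry; paths no rule knows still need eyes."""
    for severity, label, pattern in RULES:
        if pattern.search(entry["path"]):
            return severity, label
    return "review", "unclassified path"

def triage(text):
    """Parse the listing; return the non-noise findings (worst first) and per-tier counts."""
    order = {"high": 0, "medium": 1, "review": 2}
    findings, counts = [], Counter()
    for entry in parse_report(text):
        severity, label = classify(entry)
        counts[severity] += 1
        if severity != "low":
            findings.append({**entry, "severity": severity, "label": label})
    findings.sort(key=lambda f: order[f["severity"]])  # stable: report order within a tier
    return findings, counts

if __name__ == "__main__":
    findings, counts = triage(REPORT)
    print("entries per tier:", dict(counts))
    for f in findings:
        print(f"[{f['severity']:6}] {f['process']}:{f['pid']} {f['action']:6} {f['path']}  <- {f['label']}")
```

Run against the full listing, the low tier absorbs the several hundred Google Update paths and what remains is short enough to read: the hosts write, the NSIS plugin directory, the cached launcher[1].htm, and the SID2WAV/music.* files that still need a manual decision. The hosts rule deliberately does not guess at intent; the report only shows the file's new size (894 bytes), so the next step is to diff the contents against a known-good copy.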
Registry activity
The process GoogleUpdate.exe:3808 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Google\Update\PersistedPings\{05A3BE06-79D8-42CF-B0B9-32869829BC1D}]
"PersistedPingString" = "
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastRollCall" = "4187"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"pv" = "54.0.2840.59"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "3"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{277CCAA8-754F-482D-911C-1B9A3CF941F2}]
"PersistedPingTime" = "131738801360042242"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince" = "Type: REG_QWORD, Length: 8"
[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"RollCallDayStartSec" = "1529391603"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount" = "1"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ActivePingDayStartSec" = "1529391603"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastRollCall" = "4187"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastActivity" = "4187"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Hint" = ""
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "16"
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Hint" = ""
[HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallTimeRemainingMs" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"DayOfLastRollCall" = "4187"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallProgressPercent" = "100"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"RollCallDayStartSec" = "1529391603"
"ping_freshness" = "{F44A651A-C9E1-45CF-B74C-E7E7156B2DB2}"
[HKLM\SOFTWARE\Google\Update]
"LastChecked" = "1529406543"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"(Default)" = "1:b8:"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"pv" = "54.0.2840.59"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.31.5"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Name" = "Stable"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ping_freshness" = "{4197B69E-4820-434E-A6B8-8659CF99565A}"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ActivePingDayStartSec" = "1529391603"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"StateValue" = "16"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastActivity" = "4187"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Name" = "Everyone Else"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{277CCAA8-754F-482D-911C-1B9A3CF941F2}]
"PersistedPingString" = "
[HKLM\SOFTWARE\Google\Update\PersistedPings\{05A3BE06-79D8-42CF-B0B9-32869829BC1D}]
"PersistedPingTime" = "131738801434682382"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"ping_freshness" = "{33014D16-BBDD-434E-9BE4-C8D8C610B68C}"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"(Default)" = "1:9co:"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadProgressPercent" = "0"
"DownloadTimeRemainingMs" = "4294967295"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastCheckSuccess" = "1529406543"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"RollCallDayStartSec" = "1529391603"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan-Downloader deletes the following registry key(s):
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{277CCAA8-754F-482D-911C-1B9A3CF941F2}]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{05A3BE06-79D8-42CF-B0B9-32869829BC1D}]
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
The Trojan-Downloader deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerSuccessLaunchCmdLine"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableCount"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerExtraCode1"
[HKLM\SOFTWARE\Google\Update]
"old-uid"
"LastInstallerError"
"LastInstallerResultUIString"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerResult"
"LastInstallerResultUIString"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableSince"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerError"
[HKLM\SOFTWARE\Google\Update]
"uid"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"tttoken"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"tttoken"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr"
[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine"
"LastInstallerExtraCode1"
"LastInstallerResult"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr"
The process GoogleUpdate.exe:572 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan-Downloader deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:416 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"
[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}\InProcServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"
[HKCR\GoogleUpdate.CredentialDialogMachine.1.0\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"
[HKCR\Google.OneClickProcessLauncherMachine]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"
[HKCR\GoogleUpdate.Update3WebMachine\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"
[HKCR\GoogleUpdate.CoreMachineClass.1\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine"
[HKCR\GoogleUpdate.CoreMachineClass\CurVer]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\GoogleUpdate.CoreMachineClass.1]
"(Default)" = "Google Update Core Class"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.CoreMachineClass\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"
[HKCR\Google.OneClickProcessLauncherMachine\CurVer]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
"(Default)" = "CoCreateAsync"
[HKCR\GoogleUpdate.CoreMachineClass]
"(Default)" = "Google Update Core Class"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.CoCreateAsync\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.Update3WebMachine]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.CredentialDialogMachine.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"
[HKCR\GoogleUpdate.ProcessLauncher\CurVer]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\GoogleUpdate.Update3WebMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"
[HKCR\Google.OneClickProcessLauncherMachine\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"
[HKCR\GoogleUpdate.Update3WebMachine.1.0\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass"
[HKCR\GoogleUpdate.CredentialDialogMachine\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine"
[HKCR\GoogleUpdate.CoCreateAsync\CurVer]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"
[HKCR\GoogleUpdate.ProcessLauncher.1.0]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"
[HKCR\GoogleUpdate.Update3WebMachineFallback]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
"ThreadingModel" = "Both"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"
[HKCR\GoogleUpdate.CredentialDialogMachine\CurVer]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"(Default)" = "Google Update Core Class"
[HKCR\Google.OneClickProcessLauncherMachine.1.0]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.Update3WebMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync"
[HKCR\GoogleUpdate.CredentialDialogMachine]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"
[HKCR\GoogleUpdate.CoCreateAsync.1.0]
"(Default)" = "CoCreateAsync"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\Google.OneClickProcessLauncherMachine.1.0\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"
[HKCR\GoogleUpdate.Update3WebMachine\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"
[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.ProcessLauncher]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"Enabled" = "1"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"
[HKCR\GoogleUpdate.CoCreateAsync]
"(Default)" = "CoCreateAsync"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"CLSID" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"
[HKCR\GoogleUpdate.CoCreateAsync.1.0\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"
[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}]
"(Default)" = "PSFactoryBuffer"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\GoogleUpdate.ProcessLauncher.1.0\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.Update3WebMachineFallback\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"Policy" = "3"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\GoogleUpdate.ProcessLauncher\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"
The Trojan-Downloader deletes the following registry key(s):
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
The Trojan-Downloader deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:352 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKCR\Google.Update3WebControl.3\CLSID]
"(Default)" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"
[HKCR\Google.OneClickCtrl.9]
"(Default)" = "Google Update Plugin"
[HKLM\SOFTWARE\Google\Update]
"UninstallCmdLine" = "%Program Files%\Google\Update\GoogleUpdate.exe /uninstall"
[HKCR\Google.Update3WebControl.3]
"(Default)" = "Google Update Plugin"
[HKCR\Google.OneClickCtrl.9\CLSID]
"(Default)" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName" = "GoogleUpdateBroker.exe"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName" = "Google Update"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath" = "%Program Files%\Google\Update\1.3.33.17"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
"(Default)" = "Google.OneClickCtrl.9"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{07BA6F6A-D645-49E1-9212-63E964E45546}]
"PersistedPingString" = "
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description" = "Google Update"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{07BA6F6A-D645-49E1-9212-63E964E45546}]
"PersistedPingTime" = "131738801858883484"
[HKLM\SOFTWARE\Google\Update]
"LastOSVersion" = "1C 01 00 00 06 00 00 00 01 00 00 00 B1 1D 00 00"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastCheckSuccess" = "1529406585"
[HKLM\SOFTWARE\Google\Update]
"Version" = "1.3.33.17"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
"(Default)" = "Google.Update3WebControl.3"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"(Default)" = "Google Update Plugin"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description" = "Google Update"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"vendor" = "Google Inc."
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"(Default)" = "Google Update Plugin"
[HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.33.17"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateTime" = "1529406585"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.33.17"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Google\Update]
"IsMSIHelperRegistered" = "0"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"vendor" = "Google Inc."
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version" = "9"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath" = "%Program Files%\Google\Update\1.3.33.17"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName" = "Google Update"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\Google\Update\1.3.31.5,"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Version" = "3"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName" = "GoogleUpdateWebPlugin.exe"
[HKLM\SOFTWARE\Google\Update]
"Path" = "%Program Files%\Google\Update\GoogleUpdate.exe"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy" = "3"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy" = "3"
[HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "Google Update"
The Trojan-Downloader deletes the following registry key(s):
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains\*]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes\application/x-vnd.google.update3webcontrol.3]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
[HKCR\Google.Update3WebControl.3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKCR\Google.OneClickCtrl.9]
[HKCR\Google.Update3WebControl.3\CLSID]
[HKCR\Google.OneClickCtrl.9\CLSID]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains\*]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{07BA6F6A-D645-49E1-9212-63E964E45546}]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore]
The Trojan-Downloader deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"
[HKLM\SOFTWARE\Google\Update]
"LastCodeRedCheck"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath"
[HKLM\SOFTWARE\Google\Update]
"old-uid"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path"
[HKLM\SOFTWARE\Google\Update]
"eulaaccepted"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Vendor"
[HKLM\SOFTWARE\Google\Update]
"uid"
"LastChecked"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID"
[HKLM\SOFTWARE\Google\Update]
"ui"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Vendor"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName"
"Version"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName"
"Policy"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy"
[HKLM\SOFTWARE\Google\Update]
"mi"
The process GoogleUpdate.exe:2100 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan-Downloader deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:2264 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKCR\GoogleUpdate.Update3WebSvc\CurVer]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"
[HKCR\GoogleUpdate.Update3COMClassService]
"(Default)" = "Update3COMClass"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\GoogleUpdate.Update3COMClassService\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\GoogleUpdate.CoreClass.1]
"(Default)" = "Google Update Core Class"
[HKCR\GoogleUpdate.Update3WebSvc\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"
[HKCR\GoogleUpdate.Update3COMClassService.1.0\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\GoogleUpdate.Update3WebSvc.1.0\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc"
[HKCR\GoogleUpdate.Update3COMClassService.1.0]
"(Default)" = "Update3COMClass"
[HKCR\AppID\GoogleUpdate.exe]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "ServiceModule"
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"LocalService" = "gupdatem"
[HKCR\GoogleUpdate.Update3WebSvc.1.0]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\GoogleUpdate.Update3WebSvc]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "Update3COMClass"
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService"
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "Google Update Legacy On Demand"
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "ServiceModule"
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreClass"
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"ServiceParameters" = "/comsvc"
[HKCR\GoogleUpdate.CoreClass\CurVer]
"(Default)" = "GoogleUpdate.CoreClass.1"
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"
[HKCR\GoogleUpdate.CoreClass]
"(Default)" = "Google Update Core Class"
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc"
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"LocalService" = "gupdate"
[HKCR\GoogleUpdate.CoreClass.1\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"
[HKCR\GoogleUpdate.Update3COMClassService\CurVer]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
"(Default)" = "GoogleUpdate.CoreClass.1"
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"(Default)" = "Google Update Core Class"
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"ServiceParameters" = "/comsvc"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"
[HKCR\GoogleUpdate.CoreClass\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"
The Trojan-Downloader deletes the following registry key(s):
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
[HKCR\AppID\GoogleUpdate.exe]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
The Trojan-Downloader deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process setup.exe:3604 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "setup.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
The Trojan-Downloader deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:3528 makes changes in the system registry.
The Tracing\c003ae5db8eb8df858c3b15d1f3e7b76_RASAPI32 and _RASMANCS keys below are created by Windows itself, named after the executable (the sandbox runs the sample under its MD5), whenever a process loads the RAS API, which WinInet's autodial check typically does on first use. They hold no persistence and only show that the sample made network calls through WinInet; the ZoneMap and SavedLegacySettings writes are side effects of the same activity.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\c003ae5db8eb8df858c3b15d1f3e7b76_RASMANCS]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\c003ae5db8eb8df858c3b15d1f3e7b76_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\c003ae5db8eb8df858c3b15d1f3e7b76_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\c003ae5db8eb8df858c3b15d1f3e7b76_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\c003ae5db8eb8df858c3b15d1f3e7b76_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\c003ae5db8eb8df858c3b15d1f3e7b76_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\c003ae5db8eb8df858c3b15d1f3e7b76_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\c003ae5db8eb8df858c3b15d1f3e7b76_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\c003ae5db8eb8df858c3b15d1f3e7b76_RASAPI32]
"MaxFileSize" = "1048576"
Proxy settings are disabled. Together with the deletion of ProxyServer, ProxyOverride and AutoConfigURL listed below, this is the pattern WinInet produces when it re-saves the current (proxy-less) connection settings; on a host that had a proxy configured it would be worth checking, but in the sandbox it most likely reflects the sample's own HTTP activity rather than deliberate tampering:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-Downloader deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
6c718849d436a7ccebed72538f8bd04b | c:\Program Files\Google\Update\1.3.33.17\GoogleCrashHandler.exe |
d2f56e366f1cb26866a6f43bd53b46c3 | c:\Program Files\Google\Update\1.3.33.17\GoogleCrashHandler64.exe |
92ee791a630830452485e8e375f8db35 | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdate.exe |
8171211b809414b6d8a8e4f6ea8cf140 | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateBroker.exe |
03b587bfaf6dd67b330ccb6fb99ca59a | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe |
678dd73ca364411bcf431892b8f878da | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateCore.exe |
96e08eb0d929c279536bdbbc543da8fb | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe |
53baee50f7a69bf3bc0fffe25341a923 | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateSetup.exe |
063ca1017835923689c4957562ea2862 | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe |
463a426da94fc2418a713ceebb799e22 | c:\Program Files\Google\Update\1.3.33.17\goopdate.dll |
e433408ca45786f9b6b7873709f57eba | c:\Program Files\Google\Update\1.3.33.17\goopdateres_am.dll |
9d85c8517de4db2380aa14593d8a899a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ar.dll |
f376765117f5b82123ec1f4fd352fb9c | c:\Program Files\Google\Update\1.3.33.17\goopdateres_bg.dll |
4a5e2fac15b93b43a2ee673e2e111478 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_bn.dll |
230fe7b526bde7aff33b616618a8d05a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ca.dll |
9b598c6a4d3d9586f93feca20f51da70 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_cs.dll |
b1bd2d1889f42f20aeac5f1998d8b21b | c:\Program Files\Google\Update\1.3.33.17\goopdateres_da.dll |
e5ea4068551b3ac782d955a699222067 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_de.dll |
68cf3b8fef6b56cd583e8c30ae8ca563 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_el.dll |
2087af32c82c00e32094ae86dcf35607 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_en-GB.dll |
9c2a3eec41cd4effd6ffecaa910dd7da | c:\Program Files\Google\Update\1.3.33.17\goopdateres_en.dll |
7c7c2b897c7107e910eab8b669c93738 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_es-419.dll |
73ccbf92e13acc6389bb9f7dd04935b6 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_es.dll |
a2cb2c0b126c87336bc2b29a3e995dc5 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_et.dll |
1d688c7571f047a36b585d810e02067f | c:\Program Files\Google\Update\1.3.33.17\goopdateres_fa.dll |
81f8d0fbff693910fedc808047cdf156 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_fi.dll |
6cec555d88a69bdb910188c2b53b19a3 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_fil.dll |
598294ce0043943aa4cc04edc139e6c8 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_fr.dll |
7d3a8a7aec219fcbecacd04f1ad66053 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_gu.dll |
0a9a7354a95c559a4093f24fff784911 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_hi.dll |
de931037c2f487efa900aa6590cac9e0 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_hr.dll |
456664b46a1948b0df8785bd5b87f858 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_hu.dll |
43a73db8674c025026ed4cad9359a574 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_id.dll |
5e609c7d0ab38fa244949da75da04a1b | c:\Program Files\Google\Update\1.3.33.17\goopdateres_is.dll |
d002a3352574a6e6999a6f2c23566745 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_it.dll |
ffef2d63908222cacee0e40c138d5986 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_iw.dll |
b71ff4a60875f30db7e492d4806f0c92 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ja.dll |
c6a1c2e334df66970a03b30539757f36 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_kn.dll |
fb58fffc04f44137610caae567cfaf6a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ko.dll |
3b033e1092474acd6b7cfcf01a999d34 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_lt.dll |
3b00a99d877881ba0fc786fdd8e3b426 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_lv.dll |
157bf7b8eca4bc66d5c7fb3e358d5c58 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ml.dll |
7c864e8d77ebe0bc8451ade4f67f68b3 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_mr.dll |
225c45af996ebf983800025ea32f6c18 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ms.dll |
2b04cd187acac2019e13195a3cc53a31 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_nl.dll |
38651bcc330768d3e74763452a8e46e2 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_no.dll |
531e1fca96b1cc6dfbb74c2e96d990c7 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_pl.dll |
237642b8bddfe765e073a3aa6c29ca0a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_pt-BR.dll |
298f4f2bd4e7b962615bcf0ed3d673ca | c:\Program Files\Google\Update\1.3.33.17\goopdateres_pt-PT.dll |
ea1ef744fb8ba02148b362adeac70952 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ro.dll |
774b5644ad40e4d3863d81a7d30d4fae | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ru.dll |
6ffd62c9d080288bcc95816afd018048 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_sk.dll |
d7b41237faca93b3d0666e4fd38092b8 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_sl.dll |
25bbd03fc02f7daa9168dce7dfaef624 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_sr.dll |
e645c5eb4401b5e443a9744fc141b2f5 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_sv.dll |
2f111d7785bfcd6b4228df0cdf353407 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_sw.dll |
8bb63ae799037b02a89c42408abf755a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ta.dll |
2f40316ac456b383c58be478daf69ce9 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_te.dll |
cdc5e8fdba12f79c056bcf3085335ac5 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_th.dll |
811ac46d616f94ae885175863e0ce95d | c:\Program Files\Google\Update\1.3.33.17\goopdateres_tr.dll |
23725511dd277f08993bbfbaf27123c1 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_uk.dll |
3edc8f630a94d57674097194540a9f6a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ur.dll |
baff2a81498cb67c560d443e96153060 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_vi.dll |
6c2d04d599eb5b4549653d030d9d6550 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_zh-CN.dll |
f66719fb333de285e6edd1fd20e0edf8 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_zh-TW.dll |
671e1e25f6f08809863bb9aed544e70e | c:\Program Files\Google\Update\1.3.33.17\npGoogleUpdate3.dll |
cca7a6b6c2bce1e8af12a95f69c4cc8f | c:\Program Files\Google\Update\1.3.33.17\psmachine.dll |
edad26bca1696d23ecb9dc3ab48fd551 | c:\Program Files\Google\Update\1.3.33.17\psmachine_64.dll |
c2762290bb2ece339d4c63f7a8a6acc8 | c:\Program Files\Google\Update\1.3.33.17\psuser.dll |
58b48e4352559d4d76776377fde5df0c | c:\Program Files\Google\Update\1.3.33.17\psuser_64.dll |
53baee50f7a69bf3bc0fffe25341a923 | c:\Program Files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe |
53baee50f7a69bf3bc0fffe25341a923 | c:\Program Files\Google\Update\Install\{6F2F77A1-8FDA-4D29-A10A-DEF2EE7BBD51}\GoogleUpdateSetup.exe |
407ae564a3f1cea420a5208eadc07e3b | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\SID2WAV.EXE |
c17103ae9072a06da581dec998343fc1 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslE012.tmp\System.dll |
c498ae64b4971132bba676873978de1e | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslE012.tmp\inetc.dll |
7443d25af4b6eeff24ed3981fcf482ed | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslE012.tmp\setup.exe |
HOSTS file anomalies
The Trojan-Downloader modifies the "%System%\drivers\etc\hosts" file, which maps hostnames to IP addresses and is consulted before DNS. The modified file is 894 bytes in size. The following entry is added:
IP | Hostname |
---|---|
127.0.0.1 | validation.sls.microsoft.com |
validation.sls.microsoft.com is the Microsoft Software Licensing Service validation endpoint; mapping it to loopback stops the host from reaching Windows activation validation. That is the behaviour of a cracked-software bundle, not of a Google Update installer, and it fits the lure title encoded in the launcher.php n= parameter listed under URLs.
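A hosts-file check that would catch this change, as an added example (not code from the report). The embedded hosts content is constructed to resemble the comment-only default Windows 7 file plus the line this sample appended; it is not a byte-exact copy of the 894-byte file the sandbox captured.

```python
"""Flag hosts-file entries that sinkhole or redirect real hostnames.

Added example for this report; not part of the Lavasoft analysis output.
"""
import ipaddress

# Constructed sample: the comment-only default Windows 7 hosts file plus the
# one line this sample appended (per the report). Not a byte-exact copy of
# the 894-byte file the sandbox captured.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 validation.sls.microsoft.com
"""

# Names a clean hosts file may legitimately map to loopback.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) for every active mapping; comments are ignored."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # not "ip name [name ...]"; skip malformed line
        for name in fields[1:]:
            yield str(addr), name.lower()


def find_anomalies(text):
    """Return [(kind, ip, hostname)] where kind is:
       'sinkhole' - a non-localhost name pointed at loopback or 0.0.0.0
                    (blocks the host, as done here to validation.sls.microsoft.com)
       'redirect' - a name pointed at any other address (possible MITM/phishing)
    """
    hits = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        blackholed = addr.is_loopback or addr.is_unspecified
        if blackholed and name not in LOOPBACK_OK:
            hits.append(("sinkhole", ip, name))
        elif not blackholed:
            hits.append(("redirect", ip, name))
    return hits


if __name__ == "__main__":
    for kind, ip, name in find_anomalies(SAMPLE_HOSTS):
        print(f"{kind:8} {ip:15} {name}")
```

On a live Windows host, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its text to `find_anomalies`; any 'sinkhole' hit on a vendor licensing or update hostname is a strong cracked-software indicator, and 'redirect' hits deserve the same scrutiny as a DNS hijack.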
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
The .ndata section (virtual size 40960, raw size 0) is the uninitialized-data section of the NSIS installer stub; together with the NSIS plugin DLLs (System.dll, inetc.dll) dropped under %Temp%\nslE012.tmp and the NSIS_Inetc User-Agent flagged by the IDS below, it identifies the dropper as an NSIS-built installer.
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 40960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 233472 | 18728 | 18944 | 0.995794 | aad8649583a4bef26ca7e31c52726a8e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
The two launcher.php requests (one via a CloudFront distribution, one via lose.scarffriction.men) carry the same query string. Its n= parameter is base64 for "WYSIWYG Web Builder 14.0.0 Full With Medicine[BabuPC]", the cracked-software title used as the lure; tid and pid read like campaign and publisher identifiers of a pay-per-install network, which is an interpretation, not something the report states. The remaining URLs are Google's own distribution hosts for GoogleUpdateSetup.exe 1.3.33.17.
URL | IP |
---|---|
hxxp://dna4mm5c1mahl.cloudfront.net/launcher.php?p=sevenzip&tid=24606074&pid=2736&n=V1lTSVdZRyBXZWIgQnVpbGRlciAxNC4wLjAgRnVsbCBXaXRoIE1lZGljaW5lW0JhYnVQQ10=&b_typ=pe | |
hxxp://tools.l.google.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe | |
hxxp://r5.sn-q5u5bgv02-3c2z.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe?cms_redirect=yes&mip=77.222.144.250&mm=28&mn=sn-q5u5bgv02-3c2z&ms=nvh&mt=1529406497&mv=m&pcm2cms=yes&pl=24&shardbypass=yes | |
hxxp://r5---sn-q5u5bgv02-3c2z.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe?cms_redirect=yes&mip=77.222.144.250&mm=28&mn=sn-q5u5bgv02-3c2z&ms=nvh&mt=1529406497&mv=m&pcm2cms=yes&pl=24&shardbypass=yes | 80.91.179.80 |
hxxp://lose.scarffriction.men/launcher.php?p=sevenzip&tid=24606074&pid=2736&n=V1lTSVdZRyBXZWIgQnVpbGRlciAxNC4wLjAgRnVsbCBXaXRoIE1lZGljaW5lW0JhYnVQQ10=&b_typ=pe | 13.32.56.121 |
hxxp://redirector.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe | 172.217.21.238 |
update.googleapis.com | 172.217.21.227 |
tools.google.com | 172.217.21.238 |
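An IOC-extraction routine for the launcher URLs above, as an added example (not code from the report). The two URLs are copied from the table with their hxxp defanging intact; the meanings assigned to tid and pid (campaign and publisher identifiers) are an assumption.

```python
"""Extract campaign identifiers from the bundler's launcher.php requests.

Added example for this report, not code from the analysis system. The two
launcher URLs are copied from the URLs table (hxxp defanging intact); the
parameter meanings for tid/pid are an assumption.
"""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

LAUNCHER_URLS = [
    "hxxp://dna4mm5c1mahl.cloudfront.net/launcher.php?p=sevenzip&tid=24606074&pid=2736"
    "&n=V1lTSVdZRyBXZWIgQnVpbGRlciAxNC4wLjAgRnVsbCBXaXRoIE1lZGljaW5lW0JhYnVQQ10=&b_typ=pe",
    "hxxp://lose.scarffriction.men/launcher.php?p=sevenzip&tid=24606074&pid=2736"
    "&n=V1lTSVdZRyBXZWIgQnVpbGRlciAxNC4wLjAgRnVsbCBXaXRoIE1lZGljaW5lW0JhYnVQQ10=&b_typ=pe",
]


def refang(url):
    """Reverse the hxxp:// defanging used in the report so urlsplit accepts it."""
    for fake, real in (("hxxps://", "https://"), ("hxxp://", "http://")):
        if url.startswith(fake):
            return real + url[len(fake):]
    return url


def decode_b64_text(value):
    """Strict base64 decode to UTF-8 text; None if the value is not base64 text."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def parse_launcher(url):
    """Return host, path and the single-valued query params, with n= decoded."""
    parts = urlsplit(refang(url))
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    n = query.get("n")
    return {
        "host": parts.hostname,
        "path": parts.path,
        "p": query.get("p"),
        "tid": query.get("tid"),        # assumed: campaign / traffic id
        "pid": query.get("pid"),        # assumed: publisher / affiliate id
        "b_typ": query.get("b_typ"),
        "n_raw": n,
        "n_decoded": decode_b64_text(n) if n else None,
    }


def campaign_summary(urls):
    """Group launcher hosts by (tid, pid, decoded lure title) so that rotating
    hostnames serving the same campaign collapse into one record."""
    summary = {}
    for url in urls:
        rec = parse_launcher(url)
        key = (rec["tid"], rec["pid"], rec["n_decoded"])
        summary.setdefault(key, []).append(rec["host"])
    return summary


if __name__ == "__main__":
    for (tid, pid, title), hosts in campaign_summary(LAUNCHER_URLS).items():
        print(f"tid={tid} pid={pid} lure={title!r} hosts={hosts}")
```

Grouping on the decoded title and the identifiers rather than on the hostname is what makes this useful: the page already shows the same campaign behind a CloudFront name and a throwaway .men domain, and feeding a proxy log through `campaign_summary` surfaces further rotations without a per-host signature.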
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
The NSIS_Inetc User-Agent comes from the NSIS Inetc download plugin (the inetc.dll dropped to %Temp%\nslE012.tmp), which is how this installer performs its HTTP downloads; the PE-download alert most likely corresponds to GoogleUpdateSetup.exe being fetched from the Google hosts listed above.
Traffic
Web Traffic was not found.
The Trojan-Downloader connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
GoogleUpdate.exe:3808
GoogleUpdate.exe:572
GoogleUpdate.exe:416
GoogleUpdate.exe:352
GoogleUpdate.exe:2100
GoogleUpdate.exe:2264
GoogleUpdateSetup.exe:2092
sid2wav.exe:3628
- Delete the original Trojan-Downloader file.
- Delete or disinfect the following files created/modified by the Trojan-Downloader. Note that the %Program Files%\Google\Update\1.3.33.17 and %Program Files%\GUM83EE.tmp entries are the Google Update 1.3.33.17 installer that the dropper fetched from the Google distribution hosts listed under URLs; verify their Authenticode signatures before treating them as malicious, and bear in mind that removing them disables updates for any Google product legitimately installed on the machine:
%Program Files%\Google\Update\Install\{6F2F77A1-8FDA-4D29-A10A-DEF2EE7BBD51}\GoogleUpdateSetup.exe (7596 bytes)
%Program Files%\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-CN.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_id.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_nl.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine.dll (3778 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_en.dll (45 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_is.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_cs.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_mr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_th.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ml.dll (95 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_am.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sk.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdate.dll (34489 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_kn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateHelper.msi (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es-419.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ms.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bg.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ko.dll (78 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_no.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler.exe (4210 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_gu.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_et.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_it.dll (89 bytes)
%Program Files%\GUM83EE.tmp\goopdate.dll (49 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lt.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ru.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ar.dll (86 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_iw.dll (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fa.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateSetup.exe (22576 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ta.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-PT.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ur.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lv.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_vi.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en-GB.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ro.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_de.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ca.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_el.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hu.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-BR.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sw.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler64.exe (6250 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-TW.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_te.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_uk.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_tr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateCore.exe (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdate.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_da.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sv.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fil.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ja.dll (79 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe (1738 bytes)
%Program Files%\Google\Update\1.3.31.5 (28 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_vi.dll (42 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_da.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_tr.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_iw.dll (40 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_es.dll (45 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdate.exe (308 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_pl.dll (43 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateCore.exe (838 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ms.dll (42 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_hu.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_fr.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_zh-CN.dll (36 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_id.dll (42 bytes)
%Program Files%\GUM83EE.tmp\psmachine.dll (206 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_mr.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_uk.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ur.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ko.dll (38 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ro.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_cs.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_gu.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ca.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ar.dll (41 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_en-GB.dll (42 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_it.dll (44 bytes)
%Program Files%\GUM83EE.tmp\psuser.dll (206 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_pt-PT.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_el.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_fa.dll (42 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_fil.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_pt-BR.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_te.dll (44 bytes)
%Program Files%\GUM83EE.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_es-419.dll (43 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_sl.dll (43 bytes)
%Program Files%\GUM83EE.tmp\psmachine_64.dll (248 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_nl.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_no.dll (43 bytes)
%Program Files%\GUT83EF.tmp (7 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_sw.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_bg.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_am.dll (42 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateOnDemand.exe (96 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_lv.dll (44 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateBroker.exe (96 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateWebPlugin.exe (96 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_kn.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_bn.dll (44 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ml.dll (46 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_hr.dll (43 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateHelper.msi (40 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_et.dll (42 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ru.dll (42 bytes)
%Program Files%\GUM83EE.tmp\psuser_64.dll (248 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_zh-TW.dll (36 bytes)
%Program Files%\GUM83EE.tmp\GoogleCrashHandler.exe (550 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ja.dll (39 bytes)
%Program Files%\GUM83EE.tmp\GoogleUpdateComRegisterShell64.exe (173 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_de.dll (45 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_is.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_ta.dll (45 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_th.dll (42 bytes)
%Program Files%\GUM83EE.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_hi.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_fi.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_sv.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_sk.dll (43 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_lt.dll (42 bytes)
%Program Files%\GUM83EE.tmp\goopdateres_sr.dll (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\music.wav (4995468 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\music.sid (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SID2WAV.EXE (2957 bytes)
C:\Windows\System32\drivers\etc\hosts (894 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslE012.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\launcher[1].htm (171 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslE012.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslE012.tmp\B (5128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslE012.tmp\onOfAFD3vz (171 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
On Windows Vista and later the stock hosts file contains only comments, so removing the added validation.sls.microsoft.com line is sufficient; keep any entries you or your organisation added deliberately.
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.